Files containing "%" cannot be opened #40

Closed
infeo opened this issue Sep 13, 2021 · 2 comments

infeo commented Sep 13, 2021

Files containing a % cannot be opened anymore. Activating the debug log level, the following stack trace appears in the log when accessing the file:

org.eclipse.jetty.http.BadMessageException: 400: Ambiguous path encoding in URI
	at org.eclipse.jetty.server.Request.setMetaData(Request.java:1706)
	at org.eclipse.jetty.server.HttpChannel.onRequest(HttpChannel.java:794)
	at org.eclipse.jetty.server.HttpChannelOverHttp.headerComplete(HttpChannelOverHttp.java:332)
	at org.eclipse.jetty.http.HttpParser.parseFields(HttpParser.java:1226)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1511)
	at org.eclipse.jetty.server.HttpConnection.parseRequestBuffer(HttpConnection.java:384)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.eclipse.jetty.io.SocketChannelEndPoint$1.run(SocketChannelEndPoint.java:101)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:378)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:831)

This bug first appeared when updating jetty from 10.0.2 to 10.0.3 in 99594ed.

infeo added the bug label Sep 13, 2021
infeo added this to the 1.2.6 milestone Sep 13, 2021

infeo commented Sep 13, 2021

It is caused by a security fix in jetty for GHSA-v7ff-8wcx-gmc5.

Without configuration, jetty is now stricter than RFC 3986 when parsing URLs and blocks certain RFC 3986-valid URLs. For more info, see also jetty/jetty.project#6003 and jetty/jetty.project#6132.


infeo commented Sep 13, 2021

Fixed in 101b963 by allowing AMBIGUOUS_PATH_SEPARATOR and AMBIGUOUS_PATH_ENCODING (see http://www.eclipse.org/jetty/javadoc/jetty-10/org/eclipse/jetty/http/UriCompliance.html and its VIOLATION subclass).

@infeo infeo closed this as completed Sep 13, 2021
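
An added example, not the project's code from 101b963: one way to relax Jetty 10's URI compliance for only the two violations named above while keeping every other one rejected. It assumes an embedded Jetty 10.0.3 or later server; the class name, host and port are placeholders.

```java
import java.util.EnumSet;
import java.util.Set;

import org.eclipse.jetty.http.UriCompliance;
import org.eclipse.jetty.http.UriCompliance.Violation;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

// Hypothetical class name; not taken from the project.
public class RelaxedUriCompliance {

    // The only two violations the fix in this issue allows:
    // AMBIGUOUS_PATH_ENCODING (an encoded "%", i.e. %25, in a path segment) and
    // AMBIGUOUS_PATH_SEPARATOR (an encoded "/", i.e. %2F, in a path segment).
    static final Set<Violation> ALLOWED = EnumSet.of(
            Violation.AMBIGUOUS_PATH_ENCODING,
            Violation.AMBIGUOUS_PATH_SEPARATOR);

    static UriCompliance relaxedMode() {
        UriCompliance mode = UriCompliance.from(ALLOWED);
        // Guard against the mode drifting: every other violation, such as
        // AMBIGUOUS_PATH_SEGMENT (encoded dot segments), must stay rejected.
        for (Violation v : Violation.values()) {
            if (mode.allows(v) != ALLOWED.contains(v)) {
                throw new IllegalStateException("Unexpected URI compliance for " + v);
            }
        }
        return mode;
    }

    public static void main(String[] args) throws Exception {
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setUriCompliance(relaxedMode());

        Server server = new Server();
        ServerConnector connector =
                new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setHost("127.0.0.1"); // assumption: loopback-only listener
        connector.setPort(8080);        // assumption: placeholder port
        server.addConnector(connector);
        // No handler is registered here; a real application adds its own.
        server.start();
        server.join();
    }
}
```

Handlers behind this configuration should treat the path Jetty hands them as already decoded and should not decode it a second time.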